In its final guidance issued last week, the Food and Drug Administration (FDA) is asking device makers to assess what information attackers might target in connection with their devices, how attackers might attempt to access that information, and how the makers intend to address these risks both before and after putting their products on the market. In addition, FDA is asking device makers to report to the agency on a continuing basis on cybersecurity incidents that arise after product approval.

Medical devices currently on the market are considered relatively easy to hack, according to cybersecurity experts. Security and usability, unfortunately, tend to pull in opposite directions, so the challenge for device makers is to find a workable balance between the two.

Computer virus infections of medical devices continue to be a serious issue, keeping healthcare provider IT departments busy removing malware. (See our October 2012 blog post "Computer viruses on hospital medical devices: a growing concern; possible solutions"). The FDA has issued a warning regarding this threat, and is now asking, although not yet requiring, both healthcare providers and medical device manufacturers to take additional steps to heighten cybersecurity.

The Food and Drug Administration issued a notice on Thursday asking medical device manufacturers and healthcare facilities to introduce controls that would guard against cyberattacks on medical equipment and hospital networks.

Because many medical devices connect to the Internet, they are at risk of infection by computer viruses that can change how they operate, putting patients' health in jeopardy. Devices and networks that are not properly secured also leave themselves, and the data they contain, open to unauthorized access and use.

“Despite the fact that there has been no patient harm as the result of either inadvertent or intentional cybersecurity breaches, we understand FDA's desire to be cautious in this area,” Janet Trunzo, senior executive vice president of technology and regulatory affairs for the Advanced Medical Technology Association, said in a statement. “Our industry provides many life-saving or life-enhancing devices. So, it is important for both the manufacturers and the users of these devices to be aware of the potential for cybersecurity breaches.”

The FDA is recommending that manufacturers implement security controls such as user authentication, stronger passwords, physical locks and card readers. Other suggestions include timely security patches, restricting software and firmware updates to authenticated (signed) code, and design approaches that maintain a device's critical functionality even in the event of an attack or breach.
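To make two of those recommendations concrete, restricting updates to authenticated code and keeping the device operating when an update is rejected, here is a small Go illustration written for this post. It is not FDA or vendor code; the update-image layout, the Ed25519 signing scheme, the anti-rollback rule and the `Device`/`BuildImage`/`ApplyUpdate` names are all this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical update-image layout used only by this example (not any vendor's format):
//   magic    4 bytes   "FWUP"
//   version  4 bytes   big-endian, must increase monotonically
//   length   4 bytes   big-endian payload length
//   sig     64 bytes   Ed25519 signature over magic||version||length||payload
//   payload  n bytes   the new firmware
const headerLen = 4 + 4 + 4

var magic = []byte("FWUP")

var (
	ErrMalformed = errors.New("malformed update image")
	ErrBadSig    = errors.New("signature does not verify: refusing unauthenticated code")
	ErrRollback  = errors.New("version not newer than installed: refusing downgrade")
)

// NewVendorKey generates the signing key pair; the public half is provisioned into the device.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildImage is the vendor-side packaging step: sign header||payload, emit header||sig||payload.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, headerLen)
	copy(hdr[0:4], magic)
	binary.BigEndian.PutUint32(hdr[4:8], version)
	binary.BigEndian.PutUint32(hdr[8:12], uint32(len(payload)))

	signed := append(append([]byte{}, hdr...), payload...)
	sig := ed25519.Sign(priv, signed)

	img := make([]byte, 0, headerLen+ed25519.SignatureSize+len(payload))
	img = append(img, hdr...)
	img = append(img, sig...)
	return append(img, payload...)
}

// Device models the minimal state the verifier needs: the trusted key and what is running.
type Device struct {
	VendorPub ed25519.PublicKey
	Version   uint32
	Firmware  []byte
}

// ApplyUpdate accepts img only if it parses, its signature verifies under the
// vendor key, and its version is newer than what is installed. On any failure
// the device keeps its current firmware, so a bad image cannot take it out of service.
func (d *Device) ApplyUpdate(img []byte) error {
	if len(img) < headerLen+ed25519.SignatureSize || !bytes.Equal(img[:4], magic) {
		return ErrMalformed
	}
	version := binary.BigEndian.Uint32(img[4:8])
	length := binary.BigEndian.Uint32(img[8:12])
	payload := img[headerLen+ed25519.SignatureSize:]
	if uint64(length) != uint64(len(payload)) {
		return ErrMalformed
	}
	sig := img[headerLen : headerLen+ed25519.SignatureSize]

	// Authenticate first: nothing in the payload is trusted until the signature checks out.
	signed := append(append([]byte{}, img[:headerLen]...), payload...)
	if !ed25519.Verify(d.VendorPub, signed, sig) {
		return ErrBadSig
	}
	// Anti-rollback: a validly signed but older image could reintroduce fixed bugs.
	if version <= d.Version {
		return ErrRollback
	}
	d.Version = version
	d.Firmware = append([]byte{}, payload...)
	return nil
}

func main() {
	pub, priv := NewVendorKey()
	dev := &Device{VendorPub: pub, Version: 1, Firmware: []byte("fw-v1")}

	good := BuildImage(priv, 2, []byte("fw-v2: patched")) // constructed sample image
	fmt.Println("genuine v2:", dev.ApplyUpdate(good), "-> running version", dev.Version)

	tampered := append([]byte{}, good...)
	tampered[len(tampered)-1] ^= 0x01 // one payload bit flipped in transit
	fmt.Println("tampered:  ", dev.ApplyUpdate(tampered), "-> running version", dev.Version)

	_, attackerPriv := NewVendorKey() // an image signed with someone else's key
	forged := BuildImage(attackerPriv, 3, []byte("fw-v3: malware"))
	fmt.Println("forged:    ", dev.ApplyUpdate(forged), "-> running version", dev.Version)

	replayed := BuildImage(priv, 1, []byte("fw-v1: old")) // genuine but older
	fmt.Println("replayed:  ", dev.ApplyUpdate(replayed), "-> running version", dev.Version)
}
```

The ordering inside `ApplyUpdate` is the point: the signature is checked before any content of the payload is acted on, the version comparison stops a genuine-but-old image from being replayed, and every rejection leaves the running firmware untouched. In a real device the public key would live in write-protected storage and the installed-version counter in tamper-resistant non-volatile memory; both are simply struct fields here.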

Healthcare facilities, according to the FDA, should restrict unauthorized access to networks and networked devices, keep antivirus software and firewalls up to date, monitor network activity for unauthorized use, and develop strategies to maintain critical functionality when security is compromised.

The FDA is also asking manufacturers and healthcare personnel to report cybersecurity events to MedWatch, the FDA's Safety Information and Adverse Event Reporting Program, so that vulnerabilities can be identified and future incidents reduced.

In a sure sign of the times, Drchrono, which offers a free electronic health record platform on the iPad, became the first iPad app to receive official ONC-ATCB certification. According to Healthcare IT News, "the drchrono EHR platform has been awarded ambulatory certification (ONC-ATCB) as a Complete EHR by San Luis Obispo, Calif.-based InfoGard, an Office of the National Coordinator (ONC) Authorized Testing and Certification Body (ATCB)". The app tracks a provider's use of the EHR and offers key metrics to report to CMS, and includes many other features, such as billing and e-prescribing.

This is a huge step for a mobile EHR app, but its maker's regulatory hurdles may not be over. Last week, we reported on the FDA potentially regulating the market of mobile healthcare devices and applications. Electronic and personal health records could be exempt from such regulation, unless the FDA adopts a broad definition of "clinical decision support," which includes decisions based on the information given to a provider via the EHR app or device.

Moreover, the use of such mobile apps or devices in healthcare presents providers with a long list of legal concerns. Privacy and security of patient data, compliance with state and federal laws (including the Stark and anti-kickback statutes), assumption of risk and liability, and many other critical issues should be addressed in the contract between the healthcare provider and the vendor of such software.

On July 19, 2011, the U.S. Food and Drug Administration (FDA) issued a guidance regarding the agency's plans to regulate select software applications intended for use on mobile platforms (mobile applications or "mobile apps"). According to the Washington Post, the FDA proposed to regulate only those mobile apps which: (1) act as an accessory to a regulated medical device; (2) turn a mobile device or gadget into a regulated device; and/or (3) make suggestions regarding a patient's diagnosis or treatment. Via the Post:

For example, an app that allows radiologists to view X-rays on an iPad or that turns an Android phone into a heart monitor would be regulated. But an app that stores medical records or provides training videos to physicians would not.

'We wanted to make sure that we are consistent in regulating medical devices so nothing has changed,' [FDA policy adviser Bakul] Patel said. If 'somebody makes a stethoscope on an iPhone, it doesn't change the level of oversight we have of a stethoscope.'

FDA's guidance does not establish any legally enforceable responsibilities; it describes FDA's current thinking on the topic and should be viewed only as recommendations. The agency will collect input from manufacturers and healthcare providers over the next 90 days.